Command              Description
-------              -----------
add_group_user       Attempt to add a user to a global group with all tokens
add_localgroup_user  Attempt to add a user to a local group with all tokens
add_user             Attempt to add a user with all tokens
impersonate_token    Impersonate specified token
list_tokens          List tokens available under current user context
snarf_hashes         Snarf challenge/response hashes for every token

Now you'll probably want to run commands as that user... I hope that was the point of all this...

After you load the incognito extension, execute gains an extra option (-t):

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H  Create the process hidden from view.
-a  The arguments to pass to the command.
-c  Channelized I/O (required for interaction).
-d  The 'dummy' executable to launch when using -m.
-f  The executable command to run.
-h  Help menu.
-i  Interact with the process after creating it.
-m  Execute from memory.
-t  Execute process with currently impersonated thread token

We need to use "-t" so the new process runs with the impersonated thread token; otherwise you'll get a shell as SYSTEM or whoever you were.
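Seen from the defender's side, a process started with -t runs under the impersonated account while its parent is still SYSTEM (or whoever the session was), and that mismatch can be hunted for in process-creation telemetry. The sketch below is an added example, not code from the original post or from Metasploit; the record layout, the broker allowlist, the account names and appsvc.exe are constructed assumptions, and PIDs are assumed unique within the capture window.

```python
# Added example: flag child processes whose user differs from the parent's user.
# Record fields are a constructed, simplified layout, not a real log schema.

# Assumed allowlist: parents that legitimately start processes as another account.
EXPECTED_BROKERS = {"services.exe", "svchost.exe", "winlogon.exe", "runas.exe"}

SAMPLE_EVENTS = [  # constructed sample data; appsvc.exe is a hypothetical service
    {"pid": 612, "ppid": 4, "image": "services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1480, "ppid": 612, "image": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 2204, "ppid": 1480, "image": "taskhostw.exe", "user": "LAB\\alice"},
    {"pid": 3020, "ppid": 612, "image": "appsvc.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3388, "ppid": 3020, "image": "cmd.exe", "user": "LAB\\dbadmin"},
    {"pid": 3456, "ppid": 3020, "image": "cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
]


def find_identity_switches(events, brokers=EXPECTED_BROKERS):
    """Return events whose user differs from the parent's user when the
    parent is not an expected broker for that kind of switch."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in the capture window; nothing to compare
        same_user = e["user"].lower() == parent["user"].lower()
        if same_user or parent["image"].lower() in brokers:
            continue
        findings.append({
            "pid": e["pid"], "image": e["image"], "user": e["user"],
            "parent_image": parent["image"], "parent_user": parent["user"],
        })
    return findings


if __name__ == "__main__":
    for f in find_identity_switches(SAMPLE_EVENTS):
        print("{parent_image} ({parent_user}) -> {image} as {user} "
              "[pid {pid}]".format(**f))
```

The allowlist has to be tuned per environment; scheduled tasks, remote management agents and service control paths all switch identities legitimately.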

Hey CG, nice post. Is there any easy way to become system from administrator and then use incognito? The impersonation has failed for me if I get a meterpreter shell as Admin user (e.g. by using msfpayload) and not as system by exploiting stuff.

I have tried becoming admin to system first and that worked, but then becoming system to some other user, again failed.